Posted
by
BeauHDon Tuesday February 27, 2018 @05:38PM
from the super-risky dept.

An anonymous reader quotes a report from CNBC: During a recent "Ask Me Anything" session on Reddit, the Microsoft co-founder said that the main feature of cryptocurrencies is the anonymity they provide to buyers, and Gates thinks that can actually be harmful. "The government's ability to find money laundering and tax evasion and terrorist funding is a good thing," he wrote. "Right now, cryptocurrencies are used for buying fentanyl and other drugs, so it is a rare technology that has caused deaths in a fairly direct way." When a Reddit user pointed out that plain cash can also be used for illicit activities, Gates said that crypto stands out because it can be easier to use. "Yes -- anonymous cash is used for these kinds of things, but you have to be physically present to transfer it, which makes things like kidnapping payments more difficult," he wrote. Gates also warned that the wave of speculation surrounding cryptocurrencies is "super risky for those who go long."

Posted
by
msmash
on Tuesday February 27, 2018 @10:05AM
from the up-next dept.

An anonymous reader shares a report: Microsoft has released an updated guide on driver security. This new guide offers advice that developers could use to ensure Windows drivers are secured against basic attacks and preventable flaws. The new guide -- also available as a one-document PDF -- is authored by Microsoft's Don Marshall and comes to replace an older help page. [...] While the driver security checklist is a must-read for any software developer and not just driver authors, the guide on assessing "threat modeling for drivers" is also something that software engineers should take a peek at.

Posted
by
msmash
on Monday February 26, 2018 @11:00PM
from the up-next dept.

Chromebook users may soon have a simpler way to run their favorite Linux distribution and applications on Google's Chrome OS hardware. From a report: As spotted by Chrome Unboxed, there's a newly merged commit in Chromium Gerrit describing a "new device policy to allow Linux VMs on Chrome OS." A related entry suggests support could come with Chrome OS version 66, which is due out in stable release around April 24, meaning Google might announce it at its annual IO developer conference, which starts on May 8. Developers can already use a tool called Crouton to install and run Linux on Chrome OS, but there is a security trade-off because Chrome OS needs to be switched to developer mode to use it. There's also a Crouton extension called Xiwi to enable using an OS in a browser window on Chrome OS. However, it too requires developer mode to be enabled. A recent commit suggests Chrome developers are working on a project called Crostini that may solve the developer mode problem by allowing Linux VMs to run inside a container.

Posted
by
BeauHDon Monday February 26, 2018 @09:25PM
from the collecting-dust dept.

The original Apple TV, first introduced in 2007, will no longer be able to connect to the iTunes Store due to new security changes to be implemented by Apple. The news comes from a support document, which also mentions that PCs running Windows XP or Windows Vista will lose access to the most recent version of iTunes. Ars Technica reports: According to the document, the "obsolete" original Apple TV won't be updated in the future to support access to the iTunes Store. After May 25, users will only be able to access iTunes on second-generation Apple TVs and newer streaming devices. The same security changes affecting the first-gen Apple TV will also affect Windows XP and Vista machines. Users on such devices can still run previous versions of iTunes, so they should still be able to play their music library without problems. However, affected users won't be able to make new iTunes purchases or re-download previous purchases. Only machines running Windows 7 or later after May 25 will have full access to iTunes, including the ability to make new purchases and re-download older purchases.

Posted
by
BeauHDon Monday February 26, 2018 @06:40PM
from the eyes-peeled dept.

An anonymous reader quotes a report from TechCrunch: There's an interesting concept making its way around Mobile World Congress. Two gadgets offer cameras hidden until activated, which offer a fresh take on design and additional privacy. Vivo built a camera into a smartphone concept that's on a little sliding tray and Huawei will soon offer a MacBook Pro clone that features a camera hidden under a door above the keyboard. This could be a glimpse of the future of mobile design. Cameras have long been embedded in laptops and smartphones much to the chagrin of privacy experts. Some users cover up these cameras with tape or slim gadgets to ensure nefarious players do not remotely activate the cameras. Others, like HP, have started to build in shutters to give the user more control. Both DIY and built-in options require substantial screen bezels, which the industry is quickly racing to eliminate.

With shrinking bezels, gadget makers have to look for new solutions like the iPhone X notch. Others still, like Vivo and Huawei, are look at more elegant solutions than carving out a bit of the screen. For Huawei, this means using a false key within the keyboard to house a hidden camera. Press the key and it pops up like a trapdoor. We tried it out and though the housing is clever, the placement makes for awkward photos -- just make sure you trim those nose hairs before starting your conference call. Vivo has a similar take to Huawei though the camera is embedded on a sliding tray that pops-up out of the top of the phone.

Posted
by
BeauHDon Monday February 26, 2018 @04:43PM
from the fresh-coat-of-paint dept.

An anonymous reader quotes a report from CNBC: A file that Apple updated on its website last month provides the first acknowledgment that it's relying on Google's public cloud for data storage for its iCloud services. The disclosure is fresh evidence that Google's cloud has been picking up usage as it looks to catch up with Amazon and Microsoft in the cloud infrastructure business. Some media outlets reported on Google's iCloud win in 2016, but Apple never provided confirmation. Apple periodically publishes new versions of a PDF called the iOS Security Guide. For years the document contained language indicating that iCloud services were relying on remote data storage systems from Amazon Web Services, as well as Microsoft's Azure. But in the latest version, the Microsoft Azure reference is gone, and in its place is Google Cloud Platform. Before the January update, Apple most recently updated the iOS Security Guide in March. The latest update doesn't indicate whether Apple is using any Google cloud services other than core storage of "objects" like photos and videos. The document also doesn't make it clear when Apple started storing data in Google's cloud.

Posted
by
msmash
on Monday February 26, 2018 @03:10PM
from the security-woes dept.

Cellebrite, an Israel-based company, knows of ways to unlock every iPhone that's on the market, right up to the iPhone X, Forbes reported on Monday, citing sources. From the report: Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11 . That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.

The Israeli firm, a subsidiary of Japan's Sun Corporation, hasn't made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren't authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company's literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of "Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11." Separately, a source in the police forensics community told Forbes he'd been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple's newest devices worked in much the same way.

Posted
by
msmash
on Monday February 26, 2018 @02:45PM
from the bigger-picture dept.

Microsoft CEO Satya Nadella on Monday suggested that Microsoft could grow more from its Office 365 line of cloud productivity apps than anything in the company's 43-year history. From a report: With business editions of Office 365, Microsoft faces competition from Google, as well as younger players like Box and Dropbox, in the race to get companies collaborating in apps running on remote cloud servers. "The growth opportunity for what is Office 365 is a lot bigger than anything we've achieved, even with our high penetration in the client-server world," Nadella said at the Morgan Stanley Technology Media and Telecom conference in San Francisco. When companies transition from Microsoft's traditional licensing business to cloud-based subscriptions, it's "not a one-for-one move," Nadella told Morgan Stanley analyst Keith Weiss at the event. Microsoft recently introduced the Microsoft 365 bundle, which includes Office as well as Windows, along with enterprise security and mobility services. Nadella also talked up the company's potential in the Azure public cloud infrastructure business, where it competes with Google as well as Amazon Web Services. "We had a good business in our server business, but this business is orders of magnitude bigger than what used to be a successful server business," he said.

Posted
by
BeauHDon Monday February 26, 2018 @05:00AM
from the de-contaminated dept.

Scientists are worried that space aliens might send messages that worm their way into human society -- not to steal our passwords but to bring down our culture. "Astrophysicists Michael Hippke and John Learned argue in a recent paper that our telescopes might pick up hazardous messages sent our way -- a virus that shuts down our computers, for example, or something a bit like cosmic blackmail: 'Do this for us, or we'll make your sun go supernova and destroy Earth,'" reports NBC News. "Or perhaps the cosmic hackers could trick us into building self-replicating nanobots, and then arrange for them to be let loose to chew up our planet or its inhabitants." From the report: The astrophysicists also suggest that the extraterrestrials could show their displeasure (what did we do?) by launching a cyberattack. Maybe you've seen the 1996 film "Independence Day," in which odious aliens are vanquished by a computer virus uploaded into their machinery. That's about as realistic as sabotaging your neighbor's new laptop by feeding it programs written for the Commodore 64. In other words, aliens that could muster the transmitter power (not to mention the budget) to try wiping us out with code are going to have a real compatibility problem.

Yet there is a way that messages from space might be disruptive. Extraterrestrials could simply give us some advanced knowledge -- not as a trade, but as a gift. How could that possibly be a downer? Imagine: You're a physicist who has dedicated your career to understanding the fundamental structure of matter. You have a stack of reprints, a decent position, and a modicum of admiration from the three other specialists who have read your papers. Suddenly, aliens weigh in with knowledge that's a thousand years ahead of yours. So much for your job and your sense of purpose. If humanity is deprived of the opportunity to learn things on its own, much of its impetus for novelty might evaporate. In a society where invention and discovery are written out of the script, progress and improvement would suffer.

Posted
by
msmash
on Sunday February 25, 2018 @04:00PM
from the security-woes dept.

Zack Whittaker, writing for ZDNet Security researchers have found that hackers are using code-signing certificates more to make it easier to bypass security appliances and infect their victims. New research by Recorded Future's Insikt Group found that hackers and malicious actors are obtaining legitimate certificates from issuing authorities in order to sign malicious code. That's contrary to the view that in most cases certificates are stolen from companies and developers and repurposed by hackers to make malware look more legitimate. Code-signing certificates are designed to give your desktop or mobile app a level of assurance by making apps look authentic. Whenever you open a code-signed app, it tells you who the developer is and provides a high level of integrity to the app that it hasn't been tampered with in some way. Most modern operating systems, including Macs , only run code-signed apps by default.

Posted
by
msmash
on Sunday February 25, 2018 @03:00PM
from the how-about-that dept.

From a blog post on MIT News Office:Veil would provide added protections to people using shared computers in offices, hotel business centers, or university computing centers, and it can be used in conjunction with existing private-browsing systems and with anonymity networks such as Tor, which was designed to protect the identity of web users living under repressive regimes. "Veil was motivated by all this research that was done previously in the security community that said, 'Private-browsing modes are leaky -- Here are 10 different ways that they leak,'" says Frank Wang, an MIT graduate student in electrical engineering and computer science and first author on the paper. "We asked, 'What is the fundamental problem?' And the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it. But at the end of the day, no matter what the browser's best effort is, it still collects it. We might as well not collect that information in the first place."

Posted
by
msmash
on Sunday February 25, 2018 @10:00AM
from the security-woes dept.

Ellen Nakashima, reporting for the Washington Post: Russian military spies hacked several hundred computers used by authorities at the 2018 Winter Olympic Games in South Korea[Editor's note: the link may be paywalled; alternative source], according to U.S. intelligence. They did so while trying to make it appear as though the intrusion was conducted by North Korea, what is known as a "false-flag" operation, said two U.S. officials who spoke on the condition of anonymity to discuss a sensitive matter. Officials in PyeongChang acknowledged that the Games were hit by a cyberattack during the Feb. 9 Opening Ceremonies but had refused to confirm whether Russia was responsible. That evening there were disruptions to the Internet, broadcast systems and the Olympics website. Many attendees were unable to print their tickets for the ceremony, resulting in empty seats.

Posted
by
EditorDavid
on Saturday February 24, 2018 @08:04PM
from the we-know-what's-best-for-you dept.

chicksdaddy brings this report from Security Ledger:The Security Innovation Center, with backing of powerful tech industry groups, is arguing that letting consumers fix their own devices will empower hackers. The group released a survey last week warning of possible privacy and security risks should consumers have the right to repair their own devices. It counts powerful electronics and software industry organizations like CompTIA, CTIA, TechNet and the Consumer Technology Association as members... In an interview with The Security Ledger, Josh Zecher, the Executive Director of The Security Innovation Center, acknowledged that Security Innovation Center's main purpose is to push back on efforts to pass right to repair laws in the states.

He said the group thinks such measures are dangerous, citing the "power of connected products and devices" and the fact that they are often connected to each other and to the Internet via wireless networks. Zecher said that allowing device owners or independent repair professionals to service smart home devices and connected appliances could expose consumer data to hackers or identity thieves... Asked whether Security Innovation Center was opposed to consumers having the right to repair devices they purchased and owned, Zecher said the group did oppose that right on the grounds of security, privacy and safety... "People say 'It's just my washing machine. Why can't I fix it on my own?' But we saw the Mirai botnet attack last year... Those kinds of products in the wrong hands can be used to do bad things."

Posted
by
BeauHDon Friday February 23, 2018 @06:00PM
from the remote-control dept.

An anonymous reader quotes a report from Motherboard: The vulnerability was found and reported by a security researcher on December 19 of last year, but it hasn't been revealed until now. Within a day, T-Mobile classified it as "critical," patched the bug, and gave the researcher a $5,000 reward. That's good news, but it's unclear how long the site was vulnerable and whether any malicious hackers found and exploited the bug before it was fixed. The newly disclosed bug allowed hackers to log into T-Mobile's account website as any customer. "It's literally like logging into your account and then stepping away from the keyboard and letting the attacker sit down," Scott Helme, a security researcher who reviewed the bug report, told Motherboard in an online chat. Shortly after we published this story, a T-Mobile spokesperson sent us a statement: "This bug was confidentially reported through our Bug Bounty program in December and fixed within a matter of hours," the emailed statement read. "We found no evidence of customer information being compromised."

Posted
by
msmash
on Friday February 23, 2018 @05:20PM
from the what's-happening? dept.

Louise Matsakis, writing for Wired: The internet is full of Facebook users frustrated with how the company handles malware threats. For nearly four years, people have complained about Facebook's anti-malware scan on forums, Twitter, Reddit, and on personal blogs. The problems appear to have gotten worse recently. While the service used to be optional, Facebook now requires it if it flags your device for malware. And according to screenshots reviewed by WIRED from people recently prompted to run the scan, Facebook also no longer allows every user to select what type of device they're on. The malware scans likely only impact a relatively small population of Facebook's billions of users, some of whose computers may genuinely be infected. But even a fraction of Facebook's users still potentially means millions of impacted people.

The mandatory scan has caused widespread confusion and frustration; WIRED spoke to people who had been locked out of their accounts by the scan, or simply baffled by it, on four different continents. The mandatory malware scan has downsides beyond losing account access. Facebook users also frequently report that the feature is poorly designed, and inconsistently implemented. In some cases, if a different user logs onto Facebook from the same device, they sometimes won't be greeted with the malware message. Similarly, if the "infected" user simply switches browsers, the message also appears to occasionally go away.

Posted
by
msmash
on Friday February 23, 2018 @03:20PM
from the closer-look dept.

An anonymous reader writes: You've arrived at the airport early. You have already selected the perfect seat. You've employed all possible tricks for making the check-in and security processes zoom by. But there's still some blood-pressure-raising chaos you can't avoid: boarding. From impatient fellow travelers who are determined to beat you onto the plane to passengers who insist on jamming their too-big carry-ons into overhead bins, making your way to your seat can be straight-up hellish -- and Wired's Alex Davies offers up a cheery explanation of why the situation is unlikely to improve any time soon. It's not that airlines aren't trying. In fact, United is in the middle of a months-long test at LAX that involves splitting its five groups of passengers into two lines, instead of five, to see whether that will make boarding less painful. But there are some basic measures that airlines could be taking to speed things up -- offering free baggage check, for instance, or cutting down on early boarding perks -- if they weren't so worried about their bottom lines. "The question for the airlines, then, is not how to get everyone onto a plane as quickly as possible," Davies writes. "It's how to get everyone onto a plane as quickly as possible while still charging them extra for bags, doting on the regular customers, and maintaining the system that, like all class structures, serves whoever built it."

Posted
by
msmash
on Friday February 23, 2018 @01:10PM
from the security-woes dept.

More than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks, according to the latest report from Akamai. From a report: The cloud delivery provider's latest State of the Internet/Security report for Q4 2017 comprised analysis from over 7.3 trillion bot requests per month. It claimed that such requests account for over 30% of all web traffic across its platform per day, excluding video streaming. However, malicious activity has seen a sharp increase, as cyber-criminals look to switch botnets from DDoS attacks to using stolen credentials to try to access online accounts. Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse. The figure rose to a staggering 82% for the hospitality industry.

Posted
by
msmash
on Friday February 23, 2018 @12:00PM
from the better-late-than-never dept.

OpenBSD's Meltdown patch has landed, in the form of a Version 11 code update that separates user memory pages from the kernel's -- pretty much the same approach as was taken in the Linux kernel. From a report: A few days after the Meltdown/Spectre bugs emerged in January, OpenBSD's Phillip Guenther responded to user concerns with a post saying the operating system's developers were working out what to do. Now he's revealed the approach used to fix the free OS: "When a syscall, trap, or interrupt takes a CPU from userspace to kernel the trampoline code switches page tables, switches stacks to the thread's real kernel stack, then copies over the necessary bits from the trampoline stack. On return to userspace the opposite occurs: recreate the iretq frame on the trampoline stack, switch stack, switch page tables, and return to userspace." That explanation is somewhat obscure to non-developers, but there's a more readable discussion of what the project's developers had in mind from January, here.

Posted
by
msmash
on Friday February 23, 2018 @11:20AM
from the real-meltdown dept.

Intel Corp did not inform U.S. cyber security officials of Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet notified the chipmaker of the problems, according to letters sent by tech companies to lawmakers on Thursday. From a report: Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities. Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.

Posted
by
BeauHDon Thursday February 22, 2018 @11:30PM
from the update-required dept.

An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CPB) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."